Gen.Variant.Hiloti.12_93965bee00

by malwarelabrobot on May 24th, 2017 in Malware Descriptions.

Worm:Win32/Vobfus (Microsoft), Trojan-Dropper.Win32.Agent.fqqa (Kaspersky), Trojan.Win32.Generic.pak!cobra (VIPRE), Trojan.DownLoader4.44965 (DrWeb), Trojan.Win32.Alureon!IK (Emsisoft), a variant of Win32/TrojanDropper.Agent.PMD (NOD32), Generic Dropper.yx (McAfee), Trojan.Win32.Alureon (Ikarus), Dropper.Agent.APYD (AVG), Win32:Alureon-AIK [Trj] (Avast), Gen:Variant.Hiloti.12 (AdAware), Worm.Win32.Vobfus.11.FD, Tdl4.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 93965bee000e1499dfbada3c784f975a
SHA1: 96b1937b9d49edde4443b676e0ab4e8c80d6f0df
SHA256: 3808dbdb696f5af39d24a03672e762f1f851f6d7052950217afa56400d8927fb
SSDeep: 6144:PAVtwoScHfMWcfuV9AbTEn41fPz8W1OPGwZvLkoQfzvmiFRMJ9kRvAhTVoU3BR2F:PAecHgWV95JhvLkhfj/FGgR62UxRmhV
Size: 650762 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2011-08-16 17:29:21
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware on the user's system.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2956
vurbo.exe:2044
sgacPDc4D6eg.exe:2932
rundll32.exe:3492
turbo.exe:1780

The Trojan injects its code into the following process(es):

bxstat.exe:684
ntvdm.exe:1004
wurbo.exe:2944
rundll32.exe:2524
vuiokuz.exe:2592
svchost.exe:860
spoolsv.exe:1224
Explorer.EXE:2024

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process bxstat.exe:684 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\bxstat.dll (57 bytes)

The process %original file name%.exe:2956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\vurbo.exe (1124 bytes)
C:\Users\"%CurrentUserName%"\bxstat.dll (1484 bytes)
C:\Users\"%CurrentUserName%"\sgacPDc4D6eg.exe (2065 bytes)
C:\Users\"%CurrentUserName%"\wurbo.exe (56 bytes)
C:\Users\"%CurrentUserName%"\xurbo.exe (36 bytes)
C:\Users\"%CurrentUserName%"\bxstat.exe (56 bytes)
C:\Users\"%CurrentUserName%"\turbo.exe (1302 bytes)

The process vurbo.exe:2044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\vevdedg.dll (113 bytes)

The process ntvdm.exe:1004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsABE8.tmp (335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsABF8.tmp (269 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsABE8.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsABF8.tmp (0 bytes)

The process wurbo.exe:2944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\rentsvr.exe (320 bytes)

The process sgacPDc4D6eg.exe:2932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\vuiokuz.exe (2001843 bytes)

The process turbo.exe:1780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\A0FF.tmp (673 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\A100.tmp (0 bytes)

Registry activity

The process vurbo.exe:2044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ypayahubozerahem]
"Rtizemahedilawe" = "45 01 37 03 47 05 36 07 3E 09 4C 0B 4F 0D 3E 0F"
"Ssugobed" = "43 01 38 03 58 05 53 07 7B 09 6F 0B 7E 0D 7D 0F"

The process wurbo.exe:2944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\wurbo_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\wurbo_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\wurbo_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\wurbo_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\wurbo_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\wurbo_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\wurbo_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\wurbo_RASAPI32]
"EnableConsoleTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process sgacPDc4D6eg.exe:2932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"vuiokuz" = "C:\Users\"%CurrentUserName%"\vuiokuz.exe /P"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process rundll32.exe:2524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ypayahubozerahem]
"Fwazih" = "196"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Hwejagubina" = "rundll32.exe C:\Users\"%CurrentUserName%"\AppData\Local\vevdedg.dll,Startup"

The process rundll32.exe:3492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ypayahubozerahem]
"Ssugobed" = "43 01 38 03 58 05 53 07 7B 09 6F 0B 7E 0D 7D 0F"

The process vuiokuz.exe:2592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"vuiokuz" = "C:\Users\"%CurrentUserName%"\vuiokuz.exe /z"

The process turbo.exe:1780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\A4C8.tmp,"

Dropped PE files

MD5 File path
2607b52390d2bca9925b5ed559cf8de6 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\A4C8.tmp
2ebec35a8c1d5c3acc39e8b0fe0e66e2 c:\Users\"%CurrentUserName%"\AppData\Local\vevdedg.dll
c18c177197b4c0c96d560aed13f6b89d c:\Users\"%CurrentUserName%"\bxstat.dll
de7b72c7865760dc94880386c8794e6b c:\Users\"%CurrentUserName%"\bxstat.exe
e59ddb3930392d86689ebf7968569b9a c:\Users\"%CurrentUserName%"\vuiokuz.exe
71d83a422d1538575295bb164735def3 c:\Users\"%CurrentUserName%"\vurbo.exe
44379e4d091b45f8ffb9a1b80005dd9a c:\Users\"%CurrentUserName%"\wurbo.exe
a71a56d4740ea0a25799e2b951e274ba c:\Users\"%CurrentUserName%"\xurbo.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "UNKNOWN", the Trojan controls the loading of executable images into memory by installing a load-image notifier.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 109140 109568 4.5753 9d67cf1a3af11ad4c577269c3d5c97f4
.rdata 114688 29414 29696 3.23292 1c11525beac23725940d521558cc1103
.data 147456 19140 7680 2.8716 a033db0bb59720f853eba3cd33eec8b8
.rsrc 167936 3134 3584 3.20567 5ee3affe2eff6ac8f4b44c21bf52b323

URLs

URL IP
hxxp://goldencapitalsources.com/xxx 66.49.205.222
teredo.ipv6.microsoft.com 157.56.106.189
dns.msftncsi.com 131.107.255.255


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Suspicious User-Agent (MSIE)

Traffic

GET /xxx HTTP/1.1
Pragma: no-cache
User-Agent: MSIE
Host: goldencapitalsources.com
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Date: Tue, 23 May 2017 12:32:36 GMT
Server: Apache/2.4.23 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Content-Length: 320
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /xxx was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>


The Trojan connects to the servers at the following location(s):

bxstat.exe_684:

.text
`.data
.link
.rloc
bxstat.exe
bxstat.dll
COMCTL32.DLL
GDI32.DLL
KERNEL32.DLL
OLE32.DLL
OLEAUT32.DLL
USER32.DLL
CreateDialogIndirectParamA
SetWindowsHookExA

wurbo.exe_2944:

.text
`.data
.link
.rloc
%SQVW
<.tBwIJ;
hXXp://goldencapit
GDI32.DLL
KERNEL32.DLL
OLE32.DLL
OLEAUT32.DLL
USER32.DLL
WININET.DLL
CreateDialogIndirectParamA
InternetOpenUrlA

xurbo.exe_1796:

.text
`.rdata
@.data
.rsrc
@.reloc
aim.exe
kernel32.dll
ntdll.dll
MSVCR90.dll
user32.dll
ICQ.exe
Ws2_32.dll
YahooMessenger.exe
YMSG
hey man its next data is %x
Xfire.exe
msgtype
WSOCK32.dll
msnmsgr.exe
hXXp://vidtube.cu.cc/?watch=HuKQAx&id=6
KERNEL32.dll
USER32.dll
Z:\iSpreader-IM_only\Release\iSpreader Release Version.pdb
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
xprt6.dll
ecoolcore59.dll
enspr4.dll
MySpaceIM.exe

vuiokuz.exe_2592:

.text
`.data
.rsrc
MSVBVM60.DLL
C:\Whello world
VBA6.DLL
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
F%System%\stdole2.tlb
KeyDown
KeyPress
KeyUp
KeyCode
KeyAscii
CKuaIXrNjvSI.exe

svchost.exe_860_rwx_005B0000_0001A000:

Fmsvcrt.dll
%d %d %d %d %d %d
hXXps://
hXXp://
.com/
Global\C3819288-93FA-4E29-A254-BD9476B53C20
cfg.ini
%s\%s
bckfg.tmp
lsflt7.ver
0;225;224;77;38;56;16;74;75
maxhttpredirects
software\microsoft\windows\currentversion\internet settings
enablehttp1_1
software\microsoft\windows\currentversion\internet settings\zones\3
{AEBA21FA-782A-4A90-978D-B72164C80120}
{A8A88C49-5EB2-4990-A1A2-0876022C854F}
Opera\Opera\operaprefs.ini
\profile\operaprefs.ini
\prefs.js
network.cookie.cookieBehavior
Mozilla\Firefox\Profiles\
/login/;/tweet/;action=embed-flash;/faq/;/terms/;/contact/;/Forgotpassword/;d.gossipcenter.com/ck.php
hXXp://%s/?xurl=%s&xref=%s
ole32.dll
winmm.dll
atl.dll
oleaut32.dll
clk=%s&bid=%s&aid=%s&sid=%s&rd=%s
n%D,3
Global\6C29A0C8-62C6-415C-9538-B87690BC58D2
lsash.xp
%d|%d|%s|%s
cmd.dll
cmd64.dll
setup.exe
%[^=]=%[^|]|%[^|]|%[^
%s %s
%d|%s|%s
%s=%d|%s|%s
%[^.].%[^(](%[^)])
command|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s|%s
masks|%s
hXXp://NO REF/
.softgeek.
%s#%s
url|%s%s|
%s.dll
kernel32.dll
12345678
0123456789
.text
.rdata
HTTP/1.1 302 Found
Location: %s
HTTP/1.1 200 OK
Content-Length: %d
%sConnection: close
<body><a id=link target=_top></body><script>var url='%s';try{var x=document.getElementById('link');x.href=url;x.click()}catch(e){try{var x=parent?parent:window;x.location.replace(url)}catch(e){}}</script><noscript><META http-equiv="refresh" content="0;URL='%s'"></noscript>
<iframe src='%s' style='visibility:hidden;'></iframe>
<script>history.back()</script>
Set-Cookie: %s; expires=%s, u-%s-u u:u:u GMT
urlmon.dll
Global\56684A82-D074-4384-AEB9-D1A40041D9FB
chrome
wermgr.exe
-queuereporting_svc
firefox
opera
svchost.exe
ping.exe
127.0.0.1 -t
Global\B10C62E4-234C-4BF6-A1D5-1C0309CED145
Global\D6E9C81C-3831-4873-96BA-7C98D2DEBEF9
Global\a68d7de8-eba6-4a54-90e0-9cb9d93b3ed7
Global\cc51461b-e32a-4883-8e97-e0706dc65415
keywords
Accept-Language: %s
%s hXXp://%s/?xurl=%s&xref=%s
1.8|%s|%s|%s|%s|%s|%s
software\classes\http\shell\open\command
<>:"/\|?*
%s-%s
. d SP.%s
google;yahoo;bing.;live.com;msn.com;altavista.com;ask.com;exalead.com;excite.com;dogpile.com;metacrawler.com;webcrawler.com;alltheweb.com;.lycos.;gigablast.com;cuil.com;.aol.;entireweb.com;.search.com;mamma.com;mytalkingbuddy.com;about.com;conduit.com;alexa.com;alltheinternet.com;blinkx.com;aolcdn.com;othersonline.com;everesttech.net;adrevolver.com;tribalfusion.com;adbureau.net;abmr.net;gstatic.com;virtualearth.net;atdmt.com;ivwbox.;powerset.net;yimg.com;2mdn.net;doubleclick.net;iwon.com;scorecardresearch.com;66.235.120.66;66.235.120.67;ytimg.com;infospace.com;edgesuite.net;superpages.com;lygo.com;compete.com;firmserve.com;worthathousandwords.com;yieldmanager.com;wazizu.com;meedea.com;atwola.com;doubleverify.com;tacoda.net;truveo.com;openx.org;adcertising.com;twimg.com;picsearch.com;oneriot.com;.com.com;flickr.com;searchvideo.com;.tqn.com;myspacecdn.com;fimservecdn.com;alexametrics.com
%u|%u
ver=%s&bid=%s&aid=%s&sid=%s&rd=%s&eng=%s&q=%s
hXXp://%s%s
VVV.google.
search.yahoo.com
.altavista.com
/web/results
.ask.com
VVV.exalead.com
/search/web/results
VVV.alltheweb.com
search.lycos.
tab=web
gigablast.com
cuil.com
.aol.
entireweb.com
md=web
VVV.search.com
VVV.mamma.com
mytalkingbuddy.com
searchservice.myspace.com
type=web
search.conduit.com
search.toolbars.alexa.com
alltheinternet.com
/ws/results/web/
?xurl=
http/1.
mozilla
windowsupdate
2980041442
1495542759
\\?\globalroot\device\00000613\585ccbd5\lsash.xp
C:\Windows\system32\svchost.exe
\\?\globalroot\device\00000613\585ccbd5
\\?\globalroot\device\00000613\585ccbd5\cfg.ini
WinExec
SHEnumKeyExA
ExitWindowsEx
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoW
InternetCrackUrlA
`.rdata
@.data
.reloc
.]TCp
KERNEL32.DLL
ADVAPI32.dll
imagehlp.dll
ntdll.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
WebBrowser
127.0.0.1
/c.php?
.google.
%s-%d
eplorer\iexplore.exe" -nohome

spoolsv.exe_1224_rwx_00710000_00027000:

.text
`.rdata
@.data
.config
.reloc
t%SSS
N. d SP.
%x%x%x%x%x%x
%s|%s|%s|%x|%x|%s|%x|%x|prn15
%[^;];%[^;];%[^;];
kernel32.dll
ntdll.dll
\\?\globalroot\systemroot\system32\kernel32.dll
%s\cfg.ini
%s\config.ini
%s\drv32
cmd.dll
%s\bckfg.tmp
%s\cmd.dll
%s\cmd64.dll
%[^|]|%[^|]|%s
system\currentcontrolset\services\%x
\\?\globalroot%s\cmd.dll
\\?\globalroot%s\cfg.ini
\\?\globalroot%s\bckfg.tmp
%d.%d.%d %d:%d:%d
\\?\globalroot%s\ldr16
\\?\globalroot%s\ldr32
\\?\globalroot%s\ldr64
\\?\globalroot%s\drv64
\\?\globalroot%s\cmd64.dll
cmd64.dll
\\?\globalroot%s\drv32
\\?\globalroot\systemroot\system32\kdcom.dll
\\?\globalroot\systemroot\system32\hal.dll
\\?\globalroot\systemroot\system32\ntoskrnl.exe
\\?\globalroot\systemroot\system32\drivers\etc\hosts
aid=%s
sid=%s
installdate=%s
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=%s
wsrv=%s
psrv=%s
cfg.ini
bckfg.tmp
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2"><ms_asmv2:security><ms_asmv2:requestedPrivileges><ms_asmv2:requestedExecutionLevel level="requireAdministrator"></ms_asmv2:requestedExecutionLevel></ms_asmv2:requestedPrivileges></ms_asmv2:security></ms_asmv2:trustInfo></assembly>
ZwConnectPort
spoolsv.exe
GetWindowsDirectoryW
KERNEL32.dll
RegCreateKeyA
RegCloseKey
ADVAPI32.dll
SHDeleteKeyA
SHLWAPI.dll
imagehlp.dll
PSAPI.DLL
RPCRT4.dll
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
WININET.dll
ShellExecuteW
SHELL32.dll
ole32.dll
WINSPOOL.DRV
.pnLu
`.reloc
kdcom.dll
ntoskrnl.exe
`.pdata
\8<%d
"= >%S
sUkEYd
.fJaI
RoÌ
.Aj`J
.PFkX
:F-I}|
.JOf~
u"%cO
\{x-x-x-x-xx}
\registry\machine\%S
\??\physicaldrive%d
services.exe
\??\globalroot\systemroot\system32\tasks\%x
\\?\globalroot%s
%s.manifest
%s\setup%u.exe
r\\?\globalroot%s

spoolsv.exe_1224_rwx_01DD0000_00042000:

.itext
.rdata
.rsrc
@.reloc
comdlg32.dll
GDI32.dll
SHLWAPI.dll
VkKeyScanA
GetKeyNameTextW
USER32.dll
CreateNamedPipeW
KERNEL32.dll
Windows_NT
windows_Nt
@Cu%x
e).MV
.zVAT
.scoL
%X:q#e
U%FXA
?)D{.bV
.hfhZ
.ORET/
%x*`.
R:\zezmlO\gjbf\mjpmnow.pdb
GFmFnP86.exe
4"4&4,40464:4
0 1$1*1.14181
5#5)51575
H:\HGJHGJH\SGKSJGJHSGJHGS\SKJHKJH\
VVV.hkjdh.com/../dsajdh/./sdasda/../asdasd
Y:\HIUDYIUG\OOOOOOOOOOOOOOO\SJHKJSHKJHDKJHDKJH\
C:\win\desktop\temp.txt
c:\win\tray\sample.txt
Y:\hiudyiug\ooooooooooooooo\sjhkjshkjhdkjhdkjh


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2956
    vurbo.exe:2044
    sgacPDc4D6eg.exe:2932
    rundll32.exe:3492
    turbo.exe:1780

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\bxstat.dll (57 bytes)
    C:\Users\"%CurrentUserName%"\vurbo.exe (1124 bytes)
    C:\Users\"%CurrentUserName%"\sgacPDc4D6eg.exe (2065 bytes)
    C:\Users\"%CurrentUserName%"\wurbo.exe (56 bytes)
    C:\Users\"%CurrentUserName%"\xurbo.exe (36 bytes)
    C:\Users\"%CurrentUserName%"\bxstat.exe (56 bytes)
    C:\Users\"%CurrentUserName%"\turbo.exe (1302 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\vevdedg.dll (113 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsABE8.tmp (335 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scsABF8.tmp (269 bytes)
    C:\Users\"%CurrentUserName%"\rentsvr.exe (320 bytes)
    C:\Users\"%CurrentUserName%"\vuiokuz.exe (2001843 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\A0FF.tmp (673 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "vuiokuz" = "C:\Users\"%CurrentUserName%"\vuiokuz.exe /P"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Hwejagubina" = "rundll32.exe C:\Users\"%CurrentUserName%"\AppData\Local\vevdedg.dll,Startup"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "vuiokuz" = "C:\Users\"%CurrentUserName%"\vuiokuz.exe /z"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
